Albert Widjaja asked:

Organization Preparation FAILED The ErrorRecord: Microsoft.Exchange.Data.Directory.ADObjectAlreadyExistsException: Active Directory operation failed

Hi people,

I'm having a problem with the following error message when executing the Exchange Server 2010 SP3 installation on my Schema Master domain controller under my admin account:

    Organization Preparation FAILED The following error was generated when "$error.Clear();
        initialize-ExchangeUniversalGroups -DomainController $RoleDomainController -ActiveDirectorySplitPermissions $RoleActiveDirectorySplitPermissions" was run: "Active Directory operation failed on PRODDC01.MyDomain.com. The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists.".


I'm trying to delete the "Microsoft Exchange Security Groups" in the AD Users & Computers console with advanced view, but somehow the search returns no result?

Any help and suggestion would be appreciated muchly.

Thanks.

Albert Widjaja (ASKER):

And this is the part of the ExchangeSetup.Log for more details:

[12/22/2014 18:01:09.0096] [1] Executing:
      initialize-ExchangeUniversalGroups -DomainController $RoleDomainController -ActiveDirectorySplitPermissions $RoleActiveDirectorySplitPermissions
[12/22/2014 18:01:09.0299] [2] Active Directory session settings for 'initialize-ExchangeUniversalGroups' are: View Entire Forest: 'True', Configuration Domain Controller: 'PRODDC01.MyDomain.com', Preferred Global Catalog: 'PRODDC01.MyDomain.com', Preferred Domain Controllers: '{ PRODDC01.MyDomain.com }'
[12/22/2014 18:01:09.0299] [2] Beginning processing initialize-ExchangeUniversalGroups -DomainController:'PRODDC01.MyDomain.com' -ActiveDirectorySplitPermissions:$null
[12/22/2014 18:01:09.0315] [2] Used domain controller PRODDC01.MyDomain.com to read object DC=MyDomain,DC=com.
[12/22/2014 18:01:09.0315] [2] Used domain controller PRODDC01.MyDomain.com to read object CN=Configuration,DC=MyDomain,DC=com.
[12/22/2014 18:01:09.0315] [2] Used domain controller PRODDC01.MyDomain.com to read object CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=MyDomain,DC=com.
[12/22/2014 18:01:10.0940] [2] Active Directory operation failed on PRODDC01.MyDomain.com. The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists.
[12/22/2014 18:01:10.0940] [2] The object exists.
[12/22/2014 18:01:11.0143] [2] Ending processing initialize-ExchangeUniversalGroups
[12/22/2014 18:01:11.0143] [1] The following 1 error(s) occurred during task execution:
[12/22/2014 18:01:11.0143] [1] 0.  ErrorRecord: Active Directory operation failed on PRODDC01.MyDomain.com. The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists.
[12/22/2014 18:01:11.0143] [1] 0.  ErrorRecord: Microsoft.Exchange.Data.Directory.ADObjectAlreadyExistsException: Active Directory operation failed on PRODDC01.MyDomain.com. The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists. ---> System.DirectoryServices.Protocols.DirectoryOperationException: The object exists.
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
   at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, IAccountingObject budget, Nullable`1 clientSideSearchTimeout)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   --- End of inner exception stack trace ---
   at Microsoft.Exchange.Data.Directory.ADSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
   at Microsoft.Exchange.Data.Directory.ADSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException)
   at Microsoft.Exchange.Data.Directory.ADSession.Save(ADObject instanceToSave, IEnumerable`1 properties)
   at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.CreateExchangeUSGContainer(String name, ADSystemConfigurationSession session, ADObjectId domain)
   at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.InternalProcessRecord()
   at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()
[12/22/2014 18:01:11.0158] [1] The following error was generated when "$error.Clear();
      initialize-ExchangeUniversalGroups -DomainController $RoleDomainController -ActiveDirectorySplitPermissions $RoleActiveDirectorySplitPermissions" was run: "Active Directory operation failed on PRODDC01.MyDomain.com. The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists.".
[12/22/2014 18:01:11.0158] [1] Active Directory operation failed on PRODDC01.MyDomain.com. The object 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com' already exists.
[12/22/2014 18:01:11.0158] [1] The object exists.
[12/22/2014 18:01:11.0158] [1] [ERROR-REFERENCE] Id=443949901 Component=
[12/22/2014 18:01:11.0158] [1] Setup is stopping now because of one or more critical errors.
[12/22/2014 18:01:11.0158] [1] Finished executing component tasks.
[12/22/2014 18:01:11.0377] [1] Ending processing Install-ExchangeOrganization
[12/22/2014 18:01:11.0580] [0] The Exchange Server setup operation didn't complete.  More details can be found in ExchangeSetup.log located in the <SystemDrive>:\ExchangeSetupLogs folder.
[12/22/2014 18:01:11.0783] [0] End of Setup
[12/22/2014 18:01:11.0783] [0] **********************************************

Hi ITSystemsEngineer,

So are you upgrading from a previous version of Exchange 2010? If so, the only schema update you need to do is:

Setup.com /PrepareAD

You don't need to run any of the others. Check out my blog post on upgrading to SP3 here.

https://supertekboy.com/2014/05/01/exchange-2010-installing-service-pack-3/

I would also recommend NEVER moving or deleting the Exchange Security Groups.

Hi Gareth,

I'm trying to update SP2 to SP3 and yes, I only tried to execute the "Setup.com /PrepareAD" command in the AD/DC Schema master role but it failed.

The AD security group does not exist in the ADUC console?

SOLUTION (Gareth Gudger): This solution is only available to members of Experts Exchange.

Well, it doesn't exist in the root domain, but somehow setup.com complains that it exists in AD even though I can't see it anywhere.

Yes this is just a single domain forest. I don't have multiple.

Split-AD permissions? What is that? I'm new to Exchange Server 2010.

My account is already granted or a member of the Enterprise, Domain and Schema admins.

SOLUTION: This solution is only available to members of Experts Exchange.

Thanks for the reply Amit.

Since I'm running setup.com from the DC using RDP, do I have to run "ServerManagerCmd -i RSAT-ADDS"?

My problem is the missing Exchange AD Security group which stops me from continuing the SP3 upgrade.

If you are running from the DC, then you don't need it. Did you try to run cmd as administrator and try it?

Yes, I have already tried with Run as Administrator.
Not sure as to why this missing security group is stopping me from installing SP3 :-/

That is an important group. You run prepare domain first using SP2 and then try again.

OK, so in an Exchange Server 2010 environment (all SP versions), MUST that group exist in the Active Directory Users & Computers console under the domain.com?

My understanding is that it was only needed for Exchange Server 2007 but not 2010.

Why do I have to run it using the older setup files on my working production servers?

SOLUTION: This solution is only available to members of Experts Exchange.

Gareth,

I cannot see it under my Member Of tab. When I run the Exchange BPA, the wizard result reports that the group is empty.

However, I can still add myself into the group using the Exchange Management console from Outlook Web App.

Upon checking the membership from the ADUC console in the Member Of tab, I got this error pop-up when clicking on the Organization Management group.

---------------------------
Active Directory Domain Services
---------------------------
There is no such object on the server.
---------------------------
OK  
---------------------------

But the entry still exists on the Member Of tab.

Re-running the Setup.com /PrepareAD in the Schema Master role elevated command prompt still gives me the same error message.
I'm not sure how to check if my Exchange Server was set up as split permission or RBAC by my predecessor.
Is there any way to check it?

Do I have to execute the service pack with the following command instead?

    Setup.com /PrepareAD /ActiveDirectorySplitPermissions:True

I am assuming a search of AD doesn't turn up the Organization Management group either?

Check this article. Specifically the last section titled "Switch from Active Directory split permissions to shared permissions"
http://technet.microsoft.com/en-us/library/dd638146(v=exchg.150).aspx

To disable split-permissions you would actually toggle it to False.

search of AD doesn't turn up the Organization Management group either?

Yes, that is the case. I cannot find all of the following security groups through the ADUC:

"Exchange Organization Administrators"
"Microsoft Exchange Security Groups"
"Organization Management"

But when I execute the PowerShell commands below I can see them listed and associated with my user account and some groups.

    [PS] C:\Windows\system32>get-rolegroupmember "organization management" | ft -AutoSize

    Name                                 RecipientType
    ----                                 -------------
    Exchange Organization Administrators Group
    Administrator                        UserMailbox
    Alex Santana                         UserMailbox
    Mail Security Service Account        UserMailbox
    John Henry                               UserMailbox


    [PS] C:\Windows\system32>get-rolegroupmember "recipient management" | ft -AutoSize

    Name                              RecipientType
    ----                              -------------
    Exchange Recipient Administrators Group
    IT-Helpdesk-HeadOffice            Group


    [PS] C:\Windows\system32>

Gareth,
My goal here is to allow SP3 installation to be applied in all Exchange 2010 servers. I don't want to mess around with the current security scheme because I don't know how to set it up and why it was set up before.

I wonder if there is anything wrong with that DC perhaps. I noticed setup was hitting PRODDC1.

Maybe we could force setup to use another DC?

Can't remember if you can couple /PrepareAD with /DomainController switches.

Better call MS.

One other random thought. Not sure what level your AD forest is at.

But those objects aren't in the AD Lost and Found / Recycle Bin, are they?

Gareth, both Domain and Forest functional level is at Windows Server 2003.

Somehow I cannot find the result after following these steps in http://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx

Here's the view from the Lost & Found: (user generated image)

Yea I agree with Amit. I think this is a call to Microsoft.

OK, I'm inclined towards doing the steps described here: http://www.itguydiaries.net/2012/07/omg-exchange-security-groups-were.html

I know that the error message is different but somehow I cannot find all of the Exchange builtin Security groups that were supposed to be there.

So can I actually perform the steps described in the above web page and then continue with the Setup.com /prepareAD without causing any email downtime or problem later on?

Hmmm. I've seen these steps before. Never tried them though.

Yeah, that's the thing.
Because the error message in the ExchangeSetup.LOG is totally different from what you can see in the blog above.

But interestingly, the author of the blog describes how to repopulate the builtin AD security group to continue with the SP installation.

My assumption is that during the Schema update /Extension in the Domain Controller, Exchange will still be working during business hours, right? Please correct me if I'm wrong.

There is no downtime while you are running the schema updates.

OK, so in my case here I need some clarification. Does the normal working condition of Exchange Server 2010 require the following examples of the built-in security groups to exist in AD?
"Exchange Organization Administrators"
"Microsoft Exchange Security Groups"
"Organization Management"

Regardless of the security mechanism that is used.

I got confused myself as to why I must recreate the simple AD security group through the Setup.com package.

ASKER CERTIFIED SOLUTION: This solution is only available to members of Experts Exchange.

Thanks Gareth,

So in order to restore those missing groups, is there any outage required to run those setup.com /prepareAD after clearing the corrupted ADSI edit entry?

SOLUTION: This solution is only available to members of Experts Exchange.

Thanks!
OK, I just realized that my AD user account cannot see those builtin AD security groups.
I can now see them using the DOMAIN\Administrator account.

That's very strange :-/ because my DOMAIN\Username is already a member of the Schema and the Enterprise Administrator, but somehow it is showing the Security group as a corrupted object,
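
The last post reports that the same objects are invisible to one administrative account yet visible to DOMAIN\Administrator, while setup insists the OU already exists. A read-only way to confirm that kind of mismatch and inspect the OU's ACL follows; it is an added example, not taken from the thread or from Exchange setup. It assumes the ActiveDirectory PowerShell module and Active Directory Web Services on the DC, and the helper name `Test-AdObjectVisible` is hypothetical.

```powershell
# Added example (not from the thread). DN and DC name are the ones quoted in the
# ExchangeSetup.log above. Assumes the ActiveDirectory module and AD Web Services.
Import-Module ActiveDirectory

$Server = 'PRODDC01.MyDomain.com'
$OuDn   = 'OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=com'

# Hypothetical helper: $true if the object can be read, $false if the directory
# answers "not found" (typically also what a caller without read access gets).
# Other failures (DC unreachable, bad credentials) are left to surface as errors.
function Test-AdObjectVisible {
    param(
        [string]$DistinguishedName,
        [string]$Server,
        [System.Management.Automation.PSCredential]$Credential
    )
    $p = @{ Identity = $DistinguishedName; Server = $Server; ErrorAction = 'Stop' }
    if ($Credential) { $p['Credential'] = $Credential }
    try {
        $null = Get-ADObject @p
        $true
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        $false
    }
}

# 1. Same DN, two security contexts: the logged-on account and a second one.
$other = Get-Credential   # e.g. the account that can see the groups
New-Object PSObject -Property @{
    DistinguishedName = $OuDn
    VisibleToCurrent  = Test-AdObjectVisible -DistinguishedName $OuDn -Server $Server
    VisibleToOther    = Test-AdObjectVisible -DistinguishedName $OuDn -Server $Server -Credential $other
} | Format-List

# 2. Using the account that can read the OU, list what usually explains a
#    mismatch: Deny ACEs, explicit (non-inherited) ACEs, and blocked inheritance.
$ou = Get-ADObject -Identity $OuDn -Server $Server -Credential $other -Properties nTSecurityDescriptor
$sd = $ou.nTSecurityDescriptor
"Inheritance blocked on OU: $($sd.AreAccessRulesProtected)"
$sd.Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -or -not $_.IsInherited } |
    Sort-Object AccessControlType, { $_.IdentityReference.Value } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited -AutoSize
```

If the two visibility results differ, the object exists and the difference lies in what each account is allowed to read, which is consistent with setup reporting "already exists" for an OU the operator cannot find.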